IBM Support

IT40013: Address Apache Log4j 1.2.x vulnerabilities in the TPF Operations Server 32-bit console and Java API support.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • See Problem Summary.
    

Local fix

Problem summary

  • APAR NUMBER:  IT40013
    PRODUCT:  TPF Operations Server Ver 1.2
    FUNCTIONAL AREA:  TPF OPERATIONS SERVER VER. 1.2
    SHIPPED IN VERSION:  1.2.06
    
    ABSTRACT:
    Address Apache Log4j 1.2.x vulnerabilities in the TPF
    Operations Server 32-bit console and Java API support.
    
    PACKAGE CONTENTS:
    (N) tosapar_IT40013.bat
    (N) uninstall_IT40013.bat
    (C) apilog.properties
    (C) com.ibm.tpf.tos_1.2.6.jar
    (C) console/console.exe
    (N) console/jcon.bat
    (C) console/LockConsole.class
    (C) consolelog.properties
    (C) Log4jPlugin_1.2.6.jar
    (C) TOSApi_1.2.6.jar
    
    COMMENTS:
    The TPF Operations Server 32-bit console and Java API support
    used Apache Log4j 1.2.x, which is affected by CVE-2021-4104.
    

Problem conclusion

  • SOLUTION:
    The TPF Operations Server 32-bit console and Java API support
    is upgraded to Apache Log4j 2.17.1 to address the vulnerability
    described by CVE-2021-4104. To support Apache Log4j 2.17.1, the
    TPF Operations Server is also upgraded to use IBM Eclipse SDK
    (IES) 4.8 and IBM SDK, Java Technology Edition, 8.
    
    The following capabilities are affected by the upgrade to IES
    4.8:
    
    1. The fast view bar is removed because it is no longer
    supported by the Eclipse Rich Client Platform (RCP). The
    Session Starter view window initially displays in the
    application main area. You can click the minimize button on the
    Session Starter view window to minimize the tab. The
    -HIDEFASTVIEWBAR option is ignored in the updated 32-bit
    console.
    
    2. To access the information center plug-ins with the updated
    Java console, you must put the plug-in folders in the dropins
    directory (for example, C:\Program Files (x86)\IBM
    TOS\console\dropins) instead of the plugins directory (for
    example, C:\Program Files (x86)\IBM TOS\console\plugins). If
    the dropins directory does not exist, you must create the
    directory.
    
    3. The updated Log4jPlugin_1.2.6.jar is built with Apache Log4j
    2.17.1. The updated Java console and API support use the
    consolelog.properties and apilog.properties configuration files
    to log errors to the Windows Event Log.
    
    4. There is an issue in Eclipse 4.8 that causes the console
    tabs to be invisible. When you drag and drop all tabs outside
    the application main area of the 32-bit console, the console
    tabs become invisible and cannot be accessed. Restart the
    console program to reset the application main area.
    
    To install the updated TPF Operations Server 32-bit Java
    support, run the tosapar_IT40013.bat program as an
    administrator. The batch script will back up the previous
    32-bit Java support in the .\APAR\pre-IT40013 directory. This
    APAR package also provides the uninstall_IT40013.bat program to
    remove the APAR and restore the previous 32-bit Java support.
    You can run the uninstall program only if APAR IT40013 is the
    latest APAR that was installed in the TPF Operations Server
    environment.
    
    You must rebuild any TPF Operations Server 32-bit Java API
    applications with the updated Log4jPlugin_1.2.6.jar,
    TOSApi_1.2.6.jar, and apilog.properties files.
    
    COREQS: NO
    None.
    
    MIGRATION CONSIDERATIONS: YES
    Before you apply this APAR to your system, ensure that TPF
    Operations Server 1.2.06 or later is installed.
    
    To apply this APAR to your system, complete the following steps:
    1.  Fall back the z/TPF system.
    2.  Stop all clients.
    3.  [Optional] Back up TPF Operations Server Java API
    applications, if any.
    4.  [Optional] If information center plug-ins are installed
    in the .\console\plugins directory, copy the information center
    plug-ins to the .\console\dropins directory.  If the dropins
    directory does not exist, create it.
    5.  Stop the server.
    6.  Extract the contents of the IT40013.zip file to a temporary
    location.
    8.  Run the tosapar_IT40013.bat program as an administrator.
    9.  Restart the server.
    10. Restart all client sessions.
    11. Fall back the z/TPF system.
    12. [Optional] Recompile any TPF Operations Server Java API
    applications with the updated Log4jPlugin_1.2.6.jar,
    TOSApi_1.2.6.jar, and apilog.properties files.
    
    You can run the uninstall program only if APAR IT40013 is the
    latest APAR that was installed in the TPF Operations Server
    environment. To uninstall the APAR and restore the previous
    32-bit
    Java support, complete the following steps:
    1.  Fall back the z/TPF system.
    2.  Stop all clients
    3.  Stop the server
    4.  Run the uninstall_IT40013.bat program as an administrator.
    5.  Restart the server.
    6.  Restart all client sessions.
    7.  Fall back the z/TPF system.
    8.  [Optional] Restore the previous version of TPF Operations
    Server Java API applications.
    
    
    
    UPDATED INFORMATION UNITS: YES
    TPF Operations Server User's Guide
    
    See your IBM representative if you need additional information.
    
    DOWNLOAD INSTRUCTIONS:
    https://www.ibm.com/support/docview.wss?uid=swg27049608
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT40013

  • Reported component name

    TPF OPS SRV W/2

  • Reported component ID

    5799GKX00

  • Reported release

    120

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-02-18

  • Closed date

    2022-04-20

  • Last modified date

    2022-04-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SK2T8062    

Fix information

  • Fixed component name

    TPF OPS SRV W/2

  • Fixed component ID

    5799GKX00

Applicable component levels

[{"Line of Business":{"code":"LOB35","label":"Mainframe SW"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSZL53","label":"TPF"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"120"}]

Document Information

Modified date:
21 April 2022